by yannis 780 days ago
Black swan events can happen to you. Recently I traveled to a European country from my base (Middle East). I normally take my phone and laptop with me and they are synced. I forgot the laptop charger and could not get one locally, at least not for about a week, and then dropped my phone and it got damaged. I bought another phone (Android) and tried to log in to my google accounts. It recognized the email and the pswd but then wanted verification from the original device! Despite having the original sim in the new phone.

On my return everything went smoothly through my laptop. Scary though.

My conclusion - have two physical phones + laptop all synced, plus hardcopy of important pswds etc.

Data is easier to protect by offline and online back-ups, but your online identity is hard.

10 comments

I had a similar experience with google a while back.

My conclusion: Eliminate what little remaining usages of their services I have.

Doing that with iCloud and Google would be a colossal pain. This event has me thinking more seriously about self-hosting a few more things.

> My conclusion: Eliminate what little remaining usages of their services I have.

This. I never used Apple's Cloud offerings to backup things - and I stopped using any Apple devices after BatteryGate. I semi-degooglify my Android(s), and never use the "Google-*" (contacts, calendar, etc.). I block them with NoRoot Firewall and disable them, and use other apps for those services. I sync with my Outlook (2013) and my backup is with Carbonite. I do have to jump through a couple of hoops, but considering that I don't live under the threat of 'death' by Apple or Google to hold me hostage with my data/etc, the little effort is well worth it.

>> I never used Apple's Cloud offerings to backup things

I try not to, but every year I log in and check and there is data stored in their cloud that I specifically tried not to have stored there.

Exactly. I recently had the same experience of being locked out when I lost my old device and had no recourse. My conclusion was the same and I've stopped relying on all Google services except Gmail.

> when I lost my old device and had no recourse

Well, if you used Google 2FA, the Authy app exists, and allows you to securely store 2FA in the cloud (as long as you remember your Authy credentials).

If you don't, then yes, your physical phone essentially becomes a dongle and if you lose it, you're screwed. Perhaps they don't educate users enough about this, but that's the fact.

Don't bind your online identity to Apple or Google or Microsoft, in particular not the email addresses you use for accounts. That at least limits the damage they can do.

Fundamentally it's going to be bound to someone though. If you run your own domain to host your main email address, you're now bound to the registrar's login to manage that domain name, and also the cloud provider you're using to host the mail services (unless you run that off a machine you have physical access to).

Sure, but I'd much rather be bound to a domain registrar, where I'm paying them for a small, well-defined, self-contained service, where I have recourse if they do something shady to me.

For Google/Apple/etc., I'm either not paying them at all (in which case they have very little incentive to help me if something goes wrong), or I am, but for a basket of services. The identity portion of those services is probably not what that company is focusing on providing, and any weirdness with any other service in that basket could cause me to lose my access to the identity bits, often without recourse.

Yes, but you can choose a medium-sized, established registrar with a functioning human support desk, where you are the customer instead of the product driving hyperscale ad revenue. The hosting provider is not an issue, because you can switch very quickly to a different one if needed, and only have to change your DNS entry at the registrar, or whatever you use as your nameservers. Depending on your country’s jurisdiction, you also may have some legal rights to the domains you acquire under the country TLD and are not exclusively at the mercy of the registrar.

If you use your own domain, open source software, and backup often they can't lock you up forever like Google/Microsoft/Apple tho

You're missing my point that you're still beholden to the domain name registrar that manages your domain name on your behalf. That account getting permanently locked out will have all the same bad consequences for your online life as your Google account getting locked out.

And keep in mind that being a domain name registrar is a low margin business (typically they're only grossing a few bucks per domain per year, before accounting for any other expenses like staffing and systems), so you're not gonna get great support.

My understanding is that legally you own the domain and the registrar is only managing it on your behalf and they are required to transfer it to another registrar if they terminate you as a customer. As recently happened for Russian users on namecheap for example.

This. My TOTP 2FA for Namecheap just stopped working one day, despite nothing changing. I was totally locked out. I got lucky and their support was helpful and we reset it after a few hours, but it made me realize that there is no way to be 100% safe.

(My Google account is dead even though I have the username, password and recovery email which forwards to me since I don't have the phone number)

At some level, every business has incentives to minimize what they provide you vs what you provide them. But even low margin businesses where you’re the customer are more likely to have incentives and structures built around paying attention to you than low margin per user businesses where users aren’t the customer but part of the product.

I don’t think anyone is arguing that they can get away from the chain of trust required to operate in the modern world.

I believe they are advocating for minimizing risk by not deeply integrating with capricious cloud providers.

I host my own email service and several times have had the registrars get sold and once sold and then the purchasing registry discontinued the registry service, or maybe the secondary DNS. They generally have support that at least understands how DNS works, which I find surprisingly rare among tech folks.

However the big problem is I am frequently banned from emailing gmail or office365. Never Apple for some reason. So I can read email but I can’t that well send it. But I don’t really care much, mostly people have to tell me out of band to check my email if they have sent me email. My email sessions are mostly a review of current spam practices and questionable emails from firms I have done business with.

The backup for that is a registered trademark on the domain. Recovery via ICANN procedures is slow, though.

Registrars are beholden to the registry and ultimately to ICANN rules (for classic TLDs at least). They can't just fuck you over whenever they feel like in the same way that Google/Microsoft/Apple can with their services.

Some failure states are unique to people who exist in these weird edge-case states though. Like the person who had their luggage stolen, the person registered the laptop to their own account, then returned it still paired. And apple wouldn’t un-pair it from Find My even with a police report documenting it all, therefore it’s bricked.

(And to be fair to apple here - they didn’t do anything wrong here, strong end-to-end security inherently means allowing these states. Otherwise the cops could order apple to unlock it too, and apple wouldn’t have a moral ground to object if they’re regularly performing the task in other circumstances. Otherwise people could social-engineer apple support to unlock a stolen device, or their partners. To a certain mindset, google and apple not having any real support is a strength because there’s no way to social-engineer your way past the actual security. But people want both the idea of E2E security and the convenience of being able to remotely un-register a laptop from someone else's account...)

Anyway, that failure mode wouldn’t exist if they were logged in to their account, and e2e encryption makes that a very low-risk thing overall.

Apple can’t see where its devices are anyway, without doing a song-and-dance to authorize the session on a pre-authed device. Airtags and iphones have a rolling hardware identifier for bluetooth and wifi based on a cryptographically strong pseudorandom sequence, and apple can't correlate the identifiers back to an actual device without a pre-authed device relaying the sequence from your account. Etc etc.

Apple have actually done the legwork to make sure they can't see anything (or be forced to reveal anything) if you don't want them to (by enabling E2E), and that actually does drive a lot of "user-unfriendly decisions". And sure, android people will say "that's awfully convenient", but, the end state is still a lot stronger than any other major offering regardless of why you think they're doing it.

There really isn’t a good solution for this for the masses, is there?

Buying a domain is not difficult, nor is configuring it with a mail service like Fastmail. Yes, it’s slightly more involved than signing up at GMail, but it’s less complicated than doing your taxes (YMMV). The more people do it, the more helpful resources and service would appear for it. The problem is most people don’t care until they get unlucky and their account gets cancelled for inscrutable reasons. It would be better to have regulation that protects users.

The risk of an average person forgetting to update their credit card details and irrecoverably losing a personal domain is almost certainly thousands of times higher than them being accidentally and permanently locked out of a Google or iCloud account.

Where I live, the most common payment method for such services is direct debit from your bank account, where the details never change unless you switch banks; and in the rare event that you switch, you can make use of a service that banks are legally required to provide for transferring debit mandates to the new account. I bought my first domain about twenty years ago and never had to change anything regarding payment.

A lot of people live paycheck to paycheck. I’d wager even more people on average would lose their domains with this approach either by forgetting to or being unable to put the necessary funds in their account, and having the payment declined.

Losing your entire online identity because you didn’t pay on time is an absolute show stopper for an enormous number of people.

Most people are not tech people. They do not know or care, or even care to know, about the details and importance of maintaining and protecting an online identity. They won’t remember to update payment details until things start failing. They won’t check their email frequently enough to notice before this happens. They will ignore text messages, either assuming they’re scams, spam, or unimportant.

Although I can and have managed domains and mail services, I don’t agree that what you described is for the majority. Do you really think that’s true?

In the current state, the majority will need some help, similar to how they need some help when something goes wrong with their laptop. But as I said, if this would become a more widespread practice, more services would become available that make it easy and that help in case of trouble.

The biggest impediment is probably that most people aren’t willing to pay (say) $10 per month for a domain and email hosting like they do for streaming services, because they’re used to email being free. So they remain at the mercy of the big providers.

But I can at least encourage the HN crowd here to move to independent services and to use their own domain.

You’re first two sentences prove my point that this is not adoptable by most. Cell phones are ubiquitous and permeated all tiers of society. Hosting your own domain and email isn’t. I get the limitations but my point was that this isn’t practical by most for technical reasons. Ignoring the financial challenges of convincing people to spend money on something that has been free for their entire life.
You can use your own domain with Google at least, and I’m guessing Microsoft as well. It could be a good middle ground where you control your email and just let google,etc use it for the time being. It looks just like gmail but you can always get out if you have to.
Which is why they make it so hard to avoid doing this.
Using your own email account doesn’t generally make things more difficult.
I'm thinking of Microsoft Accounts on PCs and how you need to know how to jump through hoops to avoid them at OOBE. And about how this is about AppleIDs and losing them - it's my understanding that Apple is less aggressive about AppleIDs than Microsoft is about Microsoft accounts, but also, TFA. Google has similar levels of fuckery especially if you're on Chromebooks but Google's sin is nonexistent customer support. I wouldn't want my most important email address to be tied to any of these three, although I speak as a gmail-using hypocrite who plans to change that soon.
The thing that really bugs me about Google is you can make an account tied to an unrelated domain, but then they don't let you use that for a lot of things, so you're forced into a gmail account.
iTunes didn't even allow you to add your own album art. To do so you had to be signed in with Apple ID, so Apple could look up the album details on the iTunes store and set the image that way.

This was in 2008, so the software ecosystem lock-in strategy was already well-established back then.

I was adding my own album art to ripped CDs since well before 2008.

This is utterly false: https://www.youtube.com/watch?v=bnBsIAiZfFc

You could always edit artwork in iTunes. Indeed, you could import albums from your own CDs and not even use the iTunes Music Store at all.

The video you linked is from 2015, almost a decade after the time period I referenced in my comment.

Or, keep a set of single-use backup codes for 2FA. Google offers this[1], though I don't know if Apple does or not.

Storing them seems problematic, but it really isn't: They're just random-looking 8-digit numbers and nobody but you needs to know that they belong to your Google account.

Or, KISS. If you're happy with the idea that the SIM card controls the key to the castle, as it seems that you are, then: Put a backup code in a contact in your SIM card. (It is kind of a lost art these days, but SIM cards are still data storage devices here in 2024.)

[1]: https://support.google.com/accounts/answer/1187538?hl=en&co=...

> It recognized the email and the pswd but then wanted verification from the original device!

Did you have 2fa enabled by any chance? I have 2fa via TOTP on my accounts and while they offer using a signed in phone as a verification option, using TOTP was always an option, and I was never locked out of my account.

>Despite having the original sim in the new phone.

That would only help if google had some way of tying the installed sim to your account. Given the privacy implications and the technical difficulties, I wouldn't be outraged at the fact it didn't take your sim into consideration.

Yes I had 2fa + OTP, however being a new phone they still ask you to tap on the old phone.

Are you talking about a prompt like this[1]? If so, there should be a poorly named "more options" or "don't have your phone?" link that gives you the option to enter your TOTP code instead.

[1] https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh...
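The two recovery paths discussed in this thread, single-use backup codes (the comment above that links Google's help page) and the "enter your TOTP code instead" fallback, are easy to get wrong server-side. This is an added example, not code from the thread or from Google: a small account second-factor verifier using only the Python standard library, with a constructed TOTP secret and constructed backup codes; it accepts a current TOTP code or consumes one backup code, storing the codes hashed so a database copy does not hand out a working second factor.

```python
"""Added example: TOTP (RFC 6238) plus single-use backup codes as a fallback.
Secrets and codes are constructed for the demo; nothing here is a real account."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time-step counter."""
    return hotp(secret, at // step, digits)


def _hash_code(code: str) -> str:
    # Backup codes are stored hashed, like passwords: a leaked table of
    # hashes does not let anyone pass the second factor.
    return hashlib.sha256(code.encode()).hexdigest()


class SecondFactor:
    """Per-account second-factor state: a TOTP secret plus hashed backup codes."""

    def __init__(self, totp_secret: bytes, backup_count: int = 8):
        self.totp_secret = totp_secret
        # The plain codes are shown to the user once (to print and file away);
        # only their hashes stay on the server side.
        self.issued_codes = [f"{secrets.randbelow(10 ** 8):08d}"
                             for _ in range(backup_count)]
        self._unused_hashes = {_hash_code(c) for c in self.issued_codes}

    def verify_totp(self, code: str, now: Optional[int] = None,
                    skew: int = 1) -> bool:
        """Accept the current step and +/- `skew` steps to tolerate clock drift."""
        now = int(time.time()) if now is None else now
        return any(hmac.compare_digest(totp(self.totp_secret, now + k * 30), code)
                   for k in range(-skew, skew + 1))

    def verify_backup_code(self, code: str) -> bool:
        """Consume a backup code: each one is accepted exactly once."""
        h = _hash_code(code.replace(" ", ""))
        if h in self._unused_hashes:
            self._unused_hashes.remove(h)
            return True
        return False

    def remaining_backup_codes(self) -> int:
        return len(self._unused_hashes)

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        """The 'don't have your phone?' path: try TOTP, then a backup code."""
        return self.verify_totp(code, now) or self.verify_backup_code(code)
```

The `totp` function reproduces the RFC 6238 SHA-1 test vector (secret `12345678901234567890`, time 59 gives `287082`), so it can be checked against any authenticator app.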

I vaguely remember a situation where it was not possible for me to choose such an option, but I don't remember the details.

> My conclusion - have two physical phones + laptop all synced, plus hardcopy of important pswds etc.

And then say, Meta decides to ask for login verification on your other device, and you lose that account because you always logged in to it through a browser in private mode, so no device actually has an active session. Happened to my wife the other day.

IT "Security" is reaching new heights of being bullshit. You can't win, and asking people to buy multiple devices and keep them continuously in sync is a bit much, and not even a guarantee of safety anyway, as next week Google or Amazon will hit you with some next weird trap to keep you "sekhure".

I can easily imagine an AI algorithm noticing a user has two phones, and deciding that is out of the ordinary and suspicious, and locking you out of both.

>IT "Security" is reaching new heights of being bullshit. You can't win, and asking people to buy multiple devices and keep them continuously in sync is a bit much

You likely don't need to buy multiple devices. I log in from random countries/VPNs all the time and never have issues, but I do have 2fa enabled. If your account only has a password and there was a suspicious sign in attempt, it's reasonable for them to ask for additional verification somehow because you could be a victim of a credential stuffing attack. It's hard for companies to win here. Either people complain about their accounts getting randomly locked because they were on vacation in Romania and tried signing in on a new device, or the companies get grilled by the media for "failing to proactively protect their users' data" or whatever.

I would agree with you if there actually was anything different in a suspicious way about those logins. There weren't. Same devices, same ISP, same browsers, not even an OS update in between. Just one day, few days ago, out of the blue, Facebook decided to pop up a confirmation request, offering no alternative to confirming from "another device", and that's with them knowing (or at least having that information available) that there are no live sessions of that account (the whole browser in private mode thing).

Maybe the companies can't win, but they also have themselves to blame. They shouldn't have convinced people to entrust their only copies of data with them. Your vacation photos should not depend on someone's cloud platform. Half of your entire offline life shouldn't depend on Google not randomly locking you out of GMail. But here we are, and I'll keep calling those "security updates" bullshit because they don't care about long tail, and they don't care about hazards they create for most of their users.

My experience with Meta is it is just a PII fishing expedition masquerading as a security check.

I abandoned my facebook account when they asked for my driver's license scan, a few weeks later suddenly they didn't need it after all. My BIL recently wanted me to check out something he had setup on facebook and I found I could "login" by clicking one of the "what are people doing" spam emails they send. I've never used it on this PC before and have no idea what the password even is anymore. Super secure.

What would happen if you send them a realistic, but fake generated scan?

How many laws would that break?

> and that's with them knowing (or at least having that information available) that there are no live sessions of that account (the whole browser in private mode thing).

Unless you explicitly logged out, they are likely to see the opposite picture, i.e. numerous "valid" sessions (as opposed to active) that haven't been used for varying lengths of time because you logged in, but from their perspective, you never logged out. You just cleared your cookies which means the session is still "valid", even if it's inaccessible to you because the session cookies have been cleared from your device.

I don't know if they take any of this into account but as you've pointed out, assuming that the rightful owner of the account must have access to a different session is a huge assumption to make.

That's the reason to setup 2fa, because otherwise monopolies can legally kick you. Well, they can kick you anyway, because they are monopolies.

2FA makes it easier, not harder, to lose access to your account though.

1. Use two-factor auth.

2. Save those backup codes.

3. Be able to get those backup codes in some worst case scenario.

I have had to start from scratch before but never have been locked out.

4 - Discover that those backup codes are useless because the service provider will refuse to acknowledge them when you travel.

The fact that we are stuck with a pair of global apathetic undemocratic identity providers is absurd. And one of the reasons why that "shattered dream of passkeys" is on the front page. At least that dream got shattered, it would be worse if it went through.

I need to hear more about this scenario.

This is standard Google behavior. Logging into Google on any new device always asks me to confirm it on one of the other devices that are logged in (i.e. phones, tablets). Suppose it's some kind of 2FA.

I understand the security concept of it. Luckily my trip was short. As I also use wechat to communicate with some Chinese friends, my experience was different. First it sent me an OTP on the new phone, then asked for two friends to send a number to the phone. Luckily I had the phone number of one and I managed to restore and to be honest having humans in the pipeline was a plus. Negative: this had to be done over 5 minutes otherwise you're back to square one.

A google account is not required to use an Android device.

So if you don't tie all your contacts, sync and backup to your google account, you can have a phone that they won't lock you out of.

This is actually great. You basically look like a stolen device with a sim swap.

How would the thieves know the password? Even unlocked iPhones don’t show saved passwords without Face ID prompt.

A reused password that was breached somewhere else.

>My conclusion - have two physical phones + laptop all synced, plus hardcopy of important pswds etc.

Why do you need more than a single phone plus a hardcopy of your Google recovery codes (assuming you know your Google account password)?

In case one phone doesn't work or is lost or stolen or broken, I guess. Plus buying a second phone is great for the economy!

Society was collectively sold this deal where if you entrust everything to a trillion-dollar company, you'll be treated well and this sort of thing wouldn't happen. Yet it appears to be happening, and the trillion-dollar company that has the resources to deal with this so far isn't being very helpful, and it's falling to the consumer to take insane amounts of proactive measures to not have their digital lives fucked up when the exact deal was that you wouldn't have to, but of course now the party line will be "well you were obviously stupid to believe the trillion-dollar company's trillion-dollar marketing, then."

And I'm annoyed as one of the people who did not buy into it.

Even more damaging is the lie that modern tech continues to sell people: that they're too stupid to use computing technology, and all the restrictions of the platform (relative to real computers) are actually for their benefit and not the corporation's.

And, almost everything is a "computer" nowadays, from your phone to your car to your refrigerator, but only the OG computer is even remotely "fixable" to the average consumer. All the others, you're hamstrung and forced to go through official channels for subpar, marked-up service because if you try to do anything yourself they'll brick your device and maybe sue you for good measure.

I think the modern definition of computer is something with a screen and keyboard. While you’re right that almost everything has a chip in it, calling your fridge a computer is disingenuous.

Ah, but a smart fridge has a screen and a keyboard now too, and so do car consoles :)

> Why do you need more than a single phone plus a hardcopy of your Google recovery codes

Because, as I can tell from a similar experience to GP's, they also won't save you if the authentication infrastructure decides you're not who you say you are.

If I lost my phone, I would still have access to three different recovery methods:

- I have my recovery codes

- I have access to my recovery email address

- I have access to a TOTP token

I would hope this is sufficient to persuade Google's authentication infrastructure to let me in.

As I learned in Google SRE: "hope is not a strategy"

Hope is part of every strategy that doesn't have infinite cost.